Bug #69356
closedHandling of uploaded files not within open_basedir
100%
Description
When the "upload_tmp_dir" folder is not within the "open_basedir" an Exception will get thrown:
throw new \InvalidArgumentException('File "' . $localFilePath . '" does not exist.', 1319552745);
Because of this line:
The method "addFile()" will get called from "addUploadedFile()": https://git.typo3.org/Packages/TYPO3.CMS.git/blob/HEAD:/typo3/sysext/core/Classes/Resource/ResourceStorage.php#l1806
The exception will get thrown because "file_exists()" will return FALSE when called with a file argument outside of open_basedir.
But according to the "move_uploaded_file" PHP manual function description "move_uploaded_file" is aware of "open_basedir" but will only perform checks for the target argument - the source argument (uploaded file) is checked otherwise: http://php.net/manual/en/function.move-uploaded-file.php#refsect1-function.move-uploaded-file-notes
The proper solution would be to use "file_exists()" next to "is_uploaded_file()" or'ed together. Patch will get sent to gerrit.
When trying to reproduce this problem take the following PHP bug into account: https://bugs.php.net/bug.php?id=41824.
So take care that both the "open_base_dir" and the "upload_tmp_dir" reside on the same filesystem - because otherwise the "move_uploaded_file" PHP function will internally not just "rename()" the file (which will bypass source open_basedir restrictions) but will use "php_copy_file()". Please also note that only PHP 4.4.3 and later will be affected (So also all 5.x versions)